New Rules of the Road Can Sustain US Leadership on Interoperable Digital Data Flows
Mar 11, 2024 by Dr. Divya Sridhar, Vice President, Global Privacy Division and Privacy Initiatives Operations, BBB National Programs
President Biden closed February 2024 with an Executive Order (EO) that signaled an important development in how the U.S. plans to position and guard itself against global adversaries such as China, Iran, and Russia, through new rules to be established by the Department of Justice. The EO speaks volumes about how the U.S. views the next-generation impacts of data flows on the digital economy and how our nation can be better equipped as a global leader.
Meanwhile, a slew of Congressional actions, including newly introduced bills out of the House Energy & Commerce Committee, is tackling the same considerations, aspiring to solve the problem of the overcollection, sharing, and sale of consumers’ personal data, including sensitive data, by certain third parties loosely defined as “data brokers.”
The news comes on the heels of recent Congressional hearings about the nature, data privacy practices, and potential misuse of foreign-owned companies such as TikTok that have a large base of American users and hold their sensitive data.
The Takeaways
The United States is not declaring a position of data localization.
“Data free flow with trust” remains the essential guiding principle for international cooperation on data flows, coming out of the World Economic Forum’s meetings, as well as meetings of the G7, G20, and OECD in recent years.
The United States is not trying to close off digital data flows or close up into a cocoon of its own. Rather, it is setting restrictions that impose stronger safeguards to uphold its position as a world leader and continue to do business with other countries that follow the same guiding principles. For example:
- The U.S. recently reworked its agreement with the European Union on the Data Privacy Framework (DPF) on all transatlantic data flows, with a strengthened U.S. Data Protection Review Court, to further mitigate the risk of a Schrems-like debate, ruling, or violation.
- The U.S. Federal Trade Commission (FTC) has offered its handshake by signing onto the Global Cooperation Arrangement for Privacy Enforcement (CAPE) agreement on the Cross Border Privacy Rules program, which is soon to go global in nature.
The economic consequences are meant to sustain and promote the digital economy, not shrink it.
While the EO does not include an exact fiscal impact or dollar value, it does signal that the U.S. is taking a more cautious approach toward data protections. This could have important short-term repercussions on digital data flows, especially for U.S.-headquartered multinational companies working with international vendors and third parties (located in, and subject to, other nations’ jurisdictions) that were not under previous restrictions. This is particularly true for U.S. companies operating under many different standards and frameworks in the absence of a comprehensive U.S. federal privacy law.
The EO builds global uniformity on how regulators view “privacy.”
Definitions vary as to what counts as personal information, what counts as “sensitive” or “special category” data, and how that data may be shared between affiliated and nonaffiliated entities. For example, the FTC recently stated that “browsing and location data are sensitive. Full stop.”
The FTC is taking the position that collecting and sharing web browsing data without consent is a problem. This makes it challenging for companies to determine clearly where they are crossing a line in different jurisdictions. At the same time, the EO provides further clarity for companies that aren’t currently involved in any data mapping or data review practices but should be referencing interoperable frameworks such as the Global Cross Border Privacy Rules (CBPR) system to gather a sense of the shared meaning.
The EO may create the opportunity for newer, stronger, and more secure approaches to data privacy.
The candid expectation set by the EO is that AI-based malware, spoofing, and cyber threats are rampant, particularly in nations where data privacy controls are lax or the data of U.S. consumers can be more easily accessed by foreign governments because these governments claim national security exemptions, allowing them strategic access to manipulate the data.
But the EO also provides hope, outlining a process to build new regulations that will standardize the use of privacy-enhancing technologies (PETs) through joint efforts by the DOJ and the Department of Homeland Security. The field of PETs has already been defined and loosely framed through guidance from the National Institute of Standards and Technology, so the effort the EO sets in motion can strengthen the potential use of these technologies.
PETs, which leverage advanced cryptography and statistics to link data (or servers) so that data can be shared responsibly without identifying individuals, include a range of tools such as homomorphic encryption, federated learning, synthetic data, and differential privacy. It is likely that the EO will provide more clarity on the minimum privacy and security requirements, and the use of PETs, that companies should be adopting, which will drive more innovative solutions to data privacy problems.
Future Considerations
While the EO focuses on restricting the bulk purchase and sharing of sensitive data, the EO also leaves a trail of unanswered questions.
- “Sensitive data” is defined to include “genomic and personal health data, financial data, geolocation,” and other personal identifiers, as well as sensitive government data of military members and government sites. Will this sensitive data also be subject to protections in recently passed U.S. state consumer privacy laws and data broker registration laws, as well as older sectoral laws like the Health Insurance Portability and Accountability Act (HIPAA) or Title V of the Gramm–Leach–Bliley Act (GLBA)?
- “United States Government-Related Data” is a specific category of data protected under the order that the “Attorney General determines poses a heightened risk of being exploited by a country of concern to harm United States national security,” because it is linked or linkable to categories of current or recent employees, contractors, or senior officials of the U.S. Federal Government, or linkable to sensitive locations controlled by the government (e.g., military bases, government properties). To what extent will America’s list of foreign adversaries and allies continue to change and evolve over time? How will this affect our digital trade and digital data flows with these nations?
- “Data brokers” is a term defined broadly, capturing a wide swath of third parties that process and share consumer data. Will this result in subjecting many more companies that collect and sell personal data to the EO than those that register as data brokers, subject to U.S. state consumer privacy and data broker laws?
- “Countries of Concern” is defined as any foreign government that (1) “has engaged in a long-term pattern or serious instances of conduct significantly adverse to the national security of the United States or the security and safety of [US] persons” and (2) “poses a significant risk of exploiting bulk sensitive personal data or government-related data to the detriment of national security.” The EO delegates final authority to designate specific countries of concern to the Attorney General. How will the current and future AGs exercise this authority?
Maintaining adequacy in data protection should and will remain a top priority for the U.S., particularly in light of executive action like this one. The uncertainty surrounding transatlantic data flows after the Schrems I and II decisions has placed U.S. data practices under heightened scrutiny. This EO signals not only a desire to take concrete steps to protect the commercial and government data of its own citizens, but also that the U.S. seeks to partner with other like-minded countries to impose robust data practices that are “adequate” in nature, an effort to future-proof and strategically equip the U.S. going forward.
Stay tuned as this landscape continues to evolve. For U.S. companies interested in checking in on compliance for this and other international data transfer laws and requirements, set up a free consultation with BBB National Programs. Building on more than 20 years of experience with cross-border data transfers, BBB National Programs supports businesses of all sizes at all stages of their compliance journey.